Data-in-Use Protection on IBM Cloud Kubernetes Service Using Intel® SGX

Intel® Software Guard Extensions (Intel® SGX) bare metal worker nodes for IBM Cloud Kubernetes Service

The growth of container and microservices adoption across industry continues to accelerate at impressive rates. According to Forrester’s report on Container Security, 58% of developers report that their companies currently use containers or plan to use containers in the next 12 months.

However, according to the same report, security concerns about containers are still top of mind—43% of the respondents said that security was a challenge hindering container adoption. When we talk to our customers, their concerns revolve around understanding the security paradigm shift when using containers and microservices and providing the same level of isolation and insights that they get from on-prem compute resources.

Today, we are excited to announce Intel® Software Guard Extensions (Intel® SGX) bare metal worker nodes for IBM Cloud Kubernetes Service to help address some of the data protection concerns.

IBM Cloud Kubernetes Service

IBM Cloud Kubernetes Service is a managed Kubernetes offering to deliver powerful management tools, an intuitive user experience, and built-in security and isolation to enable rapid delivery of applications, all while leveraging advanced cloud services like blockchain, IoT, and AI through IBM Watson.

Announced in March 2018, bare metal worker nodes provide greater isolation and performance for containerized workloads. Now, with the Intel® SGX capability, developers can protect their code and data inside CPU-hardened “enclaves”, a trusted execution environment (TEE).

Intel® SGX worker nodes on IBM Cloud Kubernetes Service

IBM Cloud Kubernetes Service provides ease of operations (multizone worker node clusters, HA master nodes, platform upgrades for security and open-source updates, and worker node auto-scaling) in a secure environment (access controls using resource groups, customer-managed keys with IBM Key Protect, and fine-grained access controls for IBM Cloud Container Registry and the Kubernetes Service with Identity and Access Manager) that is also compliant (HIPAA-ready, SOC 1, SOC 2 Type 1, ISAE 3402), in the locations where you want to run it (Tokyo MZR, San Jose, Oslo, Milan, and our existing data centers). With support for Intel® SGX worker nodes, those same capabilities are now available to workloads whose memory must be protected at runtime.


Take the following steps to provision Intel® SGX bare metal worker nodes on the IBM Cloud Kubernetes Service:

  1. Go to the IBM Cloud catalog and select Kubernetes Service under Containers.
  2. Click Create on the next screen.
  3. Select Bare Metal under Hardware isolation and choose the SGX-capable bare metal flavor (mb2c.4x32). These bare metal worker nodes come with SGX enabled in the BIOS.
  4. Bare metal server provisioning may take several hours. Once the cluster is up, it shows the Normal status.

Installing Intel® SGX driver and PSW

You can install the Intel® SGX driver and Platform Software (PSW) by deploying the datashield-sgx-driver-psw-installer container to your cluster.


You can find Intel® SGX-enabled container applications (MySQL, Vault, and Nginx) in the IBM Cloud Container Registry public repositories. (Search for datashield-mysql, datashield-vault, and datashield-nginx.)

The IBM Cloud docs on getting started are located here.

Engage us

If you have questions or concerns, engage our team on Slack. You can register here and join the discussion in the #general channel on https://ibm-container-service.slack.com/.

Christopher Rosen

Program Director, Offering Management, IBM Kubernetes Service & IBM Container Registry
